ElcomSoft researchers were able to decrypt iPhone’s encrypted file system images made under iOS 4. While at first this may sound like a minor achievement, ElcomSoft is in fact the world’s first company to do this. It’s also worth noting that we will be releasing the product implementing this functionality for the exclusive use of law enforcement, forensic and intelligence agencies. We have a number of good reasons for doing it this way. But first, let’s put things in perspective.

iPhone User Data: What’s Inside

Let’s make it very clear: no privacy purist should ever use an iPhone (or, probably, any other smartphone). iPhone devices store or cache humongous amounts of information about how, when, and where the device has been used. The amount of sensitive information collected and stored in Apple smartphones is beyond what had previously been imaginable. Pictures, emails and text messages (including deleted ones), and calls placed and received are just a few things to mention. Add to that a comprehensive history of the user’s locations, complete with geographic coordinates and timestamps; every Google Maps lookup and route ever accessed; Web browsing history and browser cache; screenshots of applications in use; usernames, Web site passwords and the password to iPhone backups made with the iTunes software; and just about everything typed on the iPhone, all of which is cached by the device.

It’s Not About iPhone Backups Any More

Some, but not all, of that information makes its way into iPhone backups produced with Apple iTunes. Protected iPhone backups can be broken into with Elcomsoft Phone Password Breaker; once decrypted, the information stored in these backups can be viewed with many commercial products. However, the amount of information these backups contain is fairly limited. Analyzing the actual iPhone device can provide forensic access to much more data.

Adequate Protection

The amount and nature of the information accumulated by iPhone devices called for adequate protection. Starting with the iPhone 3GS, Apple has included a hardware encryption chip in all subsequent devices. With iOS 4, the company introduced a feature called Data Protection that enables hardware-based encryption of all user data stored on the iPhone 3GS and subsequent models (iPhone 4, all models of iPad, and the latest generations of iPod Touch). Using industry-standard AES-256 encryption, the protection was considered adequate against even the best-equipped adversaries, including forensic analysts and law enforcement agencies.

Implementation of iPhone File System Encryption

If you’re not interested in the technical details of how Apple iOS 4 protects user data on iPhone devices, you can skip this chapter. Reading it will, however, help you understand and appreciate what ElcomSoft researchers have done. iPhone, iPod Touch and iPad (referred to hereafter as iOS devices) are quite popular with all types of users. Because of their popularity, and considering the amount of information they hold about the history of the user’s behavior, iOS devices are common subjects of forensic analysis. The most comprehensive technique for iOS forensics is physical acquisition, which obtains a bit-for-bit snapshot of the iOS device’s file system. In a way, this is similar to making an image of a disk or dumping a CD or DVD into an ISO file.

The technique worked great until the release of iOS 4. Before that, file system images obtained from the iPhone and other iOS devices were perfectly readable, with all user data readily accessible. On iOS 4.x, however, file system images obtained from the devices were pretty much useless for forensic analysis, because the contents of each file were securely encrypted. The file system itself seemed to be intact, though, and it was still possible to get a list of files and some of their attributes.

To make things even more complicated for a security researcher, every file is encrypted with its own unique encryption key tied to the particular iOS device. Furthermore, certain files are protected with encryption keys tied to both the device and the user’s passcode, meaning that those files can only be decrypted when the device is unlocked by the user. The most notable examples are the e-mail files maintained by the built-in Mail app.

Breaking the Encryption

Explaining what we did to break this encryption is not exactly easy. In a word, we found a way to decrypt bit-for-bit images of iOS 4 devices. Decrypted images are perfectly usable and can be analyzed with forensic tools such as Guidance EnCase or AccessData FTK (or any other tool that supports raw drive images and the HFS+ file system). Decryption is not possible without access to the actual device, because we need to obtain the encryption keys that are stored in (or computed by) the device and are not dumped or stored during typical physical acquisition. In particular, those keys include:

Keys computed from the unique device key (UID), which is believed to be embedded in the hardware and is not extractable (so-called keys 0x835 and 0x89B);

User passcode key, which is derived from the user’s passcode using the unique device key (UID);

Escrow key(s), which are derived from escrow pairing records using the unique device key (UID);

The effaceable storage area, which stores a number of encryption keys.

Once we've got those keys, we're good to go. File decryption is instant and only subject to the availability of the corresponding content protection key. Some files are encrypted with keys tied to the user’s passcode; to decrypt those you need the correct passcode or the escrow keys (see below). ElcomSoft provides a tool to brute-force the passcode. The vast majority of files, however, can be decrypted without knowing the passcode.

By default (with the “Simple passcode” option enabled), passcodes consist of only four digits, meaning that only 10,000 possibilities exist. Having to enter their passcode quite often, most users keep it at the default length of four digits for the sake of usability.

Ten thousand combinations do not sound like much. On a PC, breaking a passcode of this length would take only a few moments. Unfortunately, passcodes can only be brute-forced on the device itself. With the iPhone 4, the maximum time to break a 4-digit passcode is therefore about 40 minutes, with about 20 minutes on average. The iPhone 3GS is slower, and it takes a bit longer to break a passcode there. In fact, phones running iPhoneOS 3.x can be broken into without knowing the passcode by simply removing it; with iOS 4.x, a valid passcode is required to gain full access.

It is possible to overcome the requirement of having the correct passcode by using escrow keys. Escrow keys are created and stored by iTunes when you first plug an iOS device into the computer. Having a set of escrow keys collected from a computer to which an iOS device was once connected gives the same powers as knowing the passcode (except that you can’t deduce the passcode itself).

The last thing standing is the keychain. The keychain is a system-wide storage area for application secrets such as user account details, usernames and passwords. While Elcomsoft Phone Password Breaker already had the ability to display the contents of the keychain, it could only read the keychain from iOS backups. As it turns out, not all data from the system keychain is exported into the backup. For example, the backup password itself is present in the system keychain but is never exported to the backup. Application developers using the Keychain can choose whether records stored by their application go to the backup or not. That said, the complete Keychain, including items not included with the backup, can be read and decrypted using the same set of keys obtained from the device.
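As an added illustration (this is not ElcomSoft’s code and not Apple’s implementation), the following Python models the key hierarchy the post describes: per-file keys wrapped by protection-class keys, passcode-bound class keys wrapped by a key derived from the passcode and the UID, device-bound class keys wrapped by the UID key alone, and an escrow keybag that unlocks the passcode-bound classes from the iTunes pairing record without revealing the passcode. The cipher, the derivations, the class names and the file contents are constructed stand-ins, not Apple’s AES-256 or the real Data Protection formats.

```python
import hashlib
import hmac
import os
UID_KEY = hashlib.sha256(b"constructed-device-uid").digest()   # per-device key that never leaves the chip
PAIRING_RECORD = b"constructed-itunes-pairing-record"          # stored on the computer the device synced with
PASSCODE_BOUND = {"complete"}   # class keys wrapped with the passcode key (or, in the escrow keybag, escrow key)
DEVICE_BOUND = {"none"}         # class keys wrapped with the UID-derived key only

def xor_stream(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR with an HMAC-SHA256 keystream bound to `label` (a stand-in for AES)."""
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        ks = hmac.new(key, label + i.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i * 32:(i + 1) * 32], ks))
    return bytes(out)

def passcode_key(passcode: str) -> bytes:  # passcode stretched with the UID key mixed in (model)
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), UID_KEY, 10_000)

def escrow_key(pairing_record: bytes) -> bytes:  # escrow key from pairing record + UID key (model)
    return hmac.new(UID_KEY, pairing_record, "sha256").digest()

def wrap(kek: bytes, cls: str, class_key: bytes) -> tuple:
    """Wrapped class key plus a check value, so a wrong passcode is rejected instead of yielding garbage."""
    return xor_stream(kek, cls.encode(), class_key), hmac.new(class_key, b"check", "sha256").digest()[:8]

def unwrap(kek: bytes, cls: str, entry: tuple):
    ck = xor_stream(kek, cls.encode(), entry[0])
    return ck if hmac.compare_digest(hmac.new(ck, b"check", "sha256").digest()[:8], entry[1]) else None

def build_keybags(passcode: str, pairing_record: bytes):
    """Random per-class keys; the system keybag lives on the device, the escrow keybag with the paired PC."""
    class_keys = {c: os.urandom(32) for c in PASSCODE_BOUND | DEVICE_BOUND}
    system_bag, escrow_bag = {}, {}
    for cls, ck in class_keys.items():
        if cls in PASSCODE_BOUND:
            system_bag[cls] = wrap(passcode_key(passcode), cls, ck)
            escrow_bag[cls] = wrap(escrow_key(pairing_record), cls, ck)
        else:
            system_bag[cls] = wrap(UID_KEY, cls, ck)
    return class_keys, system_bag, escrow_bag

def unlock(system_bag, escrow_bag, passcode=None, pairing_record=None) -> dict:
    """Forensic view: unwrap whichever class keys the secrets at hand allow."""
    keys = {cls: unwrap(UID_KEY, cls, e) for cls, e in system_bag.items() if cls in DEVICE_BOUND}
    for cls in PASSCODE_BOUND:
        if passcode is not None:
            keys[cls] = unwrap(passcode_key(passcode), cls, system_bag[cls])
        elif pairing_record is not None:
            keys[cls] = unwrap(escrow_key(pairing_record), cls, escrow_bag[cls])
    return {c: k for c, k in keys.items() if k is not None}

def protect_file(class_keys, cls, name, plaintext) -> dict:
    """Each file gets its own random key, wrapped under the key of its protection class."""
    fk = os.urandom(32)
    return {"class": cls, "wrapped_key": xor_stream(class_keys[cls], name.encode(), fk),
            "data": xor_stream(fk, name.encode(), plaintext)}

def decrypt_file(unlocked, name, entry):  # plaintext, or None when the class key is unavailable
    ck = unlocked.get(entry["class"])
    fk = ck and xor_stream(ck, name.encode(), entry["wrapped_key"])
    return fk and xor_stream(fk, name.encode(), entry["data"])

def demo() -> dict:
    """Constructed two-file image decrypted with nothing, a wrong passcode, the passcode, and escrow keys."""
    class_keys, sys_bag, esc_bag = build_keybags("1234", PAIRING_RECORD)
    image = {"sms.db": protect_file(class_keys, "none", "sms.db", b"constructed sms rows"),
             "mail.db": protect_file(class_keys, "complete", "mail.db", b"constructed mailbox")}
    scenarios = {"nothing": {}, "wrong passcode": {"passcode": "0000"},
                 "passcode": {"passcode": "1234"}, "escrow": {"pairing_record": PAIRING_RECORD}}
    return {how: {n: decrypt_file(unlock(sys_bag, esc_bag, **kw), n, e) for n, e in image.items()}
            for how, kw in scenarios.items()}
```

With no secrets at all the device-bound file still decrypts while the passcode-bound one does not; the pairing record from the synced computer opens it exactly as the passcode would.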

Another World’s First

What This Means for You

By breaking the protection system of the Apple iPhone 3GS and later devices running iOS 4, ElcomSoft opens the possibility of an extremely comprehensive forensic analysis of affected iOS devices. While this is a big achievement in cryptographic terms, iPhone backups produced with the Apple iTunes software already contained a lot of sensitive information, including keychains. ElcomSoft makes forensic analysis easier, faster (the extraction of file system encryption keys is nearly instant, as opposed to the lengthy dictionary or brute-force attacks required to obtain the password to an iPhone backup) and more comprehensive.

The toolkit we're offering includes an updated Elcomsoft Phone Password Breaker, fitted with a new function to decrypt iOS 4.x file system images, as well as optional tools to obtain file system images of iOS 4.x devices, extract the keys required for image decryption, and brute-force the passcode.

To make sure those tools do not fall into the wrong hands, we decided to offer them only to established law enforcement, forensic and intelligence agencies as well as select government organizations.

Affected Apple Devices

All Apple devices starting with iPhone 3GS and running iOS 4 are affected, including iPhone, iPod and iPad devices.

This entry was posted on Monday, May 23rd, 2011 at 8:45 am and is filed under Elcom-News, General, Software.

It always amuses me when companies like Elcomsoft claim a “world first” such as physical image analysis of iPhones. Well, you are far from a world first; you may wish to check your facts. iXam has been doing this for nearly 2 years and I can think of at least one other tool which also does it. Elcomsoft, FAIL fact checking but pass on sensationalising lies 🙂

@Adam, let’s check the facts together 🙂 Yes, there are many products that perform physical acquisition of the information stored in smartphones (including the iPhone) — not only iXAM, but also AccessData MPE, Micro Systemation XRY and some others. And we never said that we’re first here. With the iPhone, this method worked perfectly until iOS 4 (with hardware encryption) was released. It is still possible to get the complete image of the iPhone, but it is (was) absolutely useless because it is encrypted. We were the first who were able to get the keys from the device and… Read more »

Sounds like you need access to the backup or the system it syncs with to get around the passcode and gather the escrow keys. If the iPhone backup is encrypted or Filevault is used on that machine, then you are forced to brute force the passcode. But if you set the phone to wipe keys after 10 failed tries, this eliminates that vector as well.

@Slagell, first part is correct, but the second is not, sorry. We run the attack on the passcode directly “on the chip”, and the system does not recognize that it is being bruteforced, so we can make as many attempts as we want (and have the time for).

This is very interesting! I’m very curious to know, in executing a brute-force to solve an individual’s passcode, how you get around the security setting to wipe the device after a certain number of failed attempts?
It seems, if that setting is enabled, this would prevent a brute-force and subsequent reading of the user data, since exceeding that threshold would cause the encryption keys to be deleted.
Additionally, how much more difficult is the process of solving the passcode if a user has implemented a complex passcode (as opposed to the default 4-digit code)?

You are right, the research behind this feature is basically the same one which was presented at HITB.

However, I would like to stress that we did our research on our own. We became aware of the upcoming HITB presentation after we had finished our research. Besides, despite the same research route, our set of tools uses a somewhat different approach (which we believe allows for greater flexibility and compatibility).

To Martin Schneider: an 8-character password (you mean passcode, right?) cannot be cracked with a brute-force attack. But a dictionary attack may help (we have not implemented it for the passcode, though). Without the passcode, actually, you can get all the same (i.e. complete/decrypted image) — but only if you get the ‘escrow’ keys (from the computer). If one cannot get (or break) the passcode nor has the escrow keys, some information is still available. The best way to secure the device is to protect it with a good passcode (disabling the “simple passcode” option), and provide physical security to both the device… Read more »

No privacy purist would publish their right name on an Internet blog either – LOL.

Thank you for this. As someone concerned with providing our users good advice about their smartphones, this is very valuable information, and backs up our recommendations:
1) do not place restricted information on a phone/mobile nor an unencrypted PC
2) set a long pass phrase to prevent access to your email and things you do have on the phone/mobile.

Adam needs to get his facts straight before talking trash. Our lab of LEO forensic examiners is very interested in learning more and eager to see it. It will be nice since Apple really has NO desire to assist LEOs.

“If one cannot get (or break) the passcode nor he has the escrow keys, some information is still available.”

Is information still available if you can’t crack the keychain which requires either the passcode or escrow key? What kind of information is available since LEOs in the field would be unlikely to have access to your PC?

@ Shaun H, without both the passcode and escrow keys, almost all files on the user partition can be decrypted, plus some records from the keychain are available (like Wifi and email passwords, and probably more).

But you can only get the Keychain from the iOS backup file on the PC, which, if it is encrypted, means you have to brute-force that password as well?
So with access only to the iOS device (using a complex password) and not the PC you can still decrypt the entire user partition? Any idea if iOS 5 fixes that?

@ priy 1. If we have a device and don’t know the passcode (and don’t have the PC it syncs to) then we can decrypt almost all files on the user partition (except for the Mail.app mail database) and a significant part of the Keychain. The exact amount depends on the particular applications installed on the device, because each application decides which protection level to use for its data, and without the passcode (or escrow keys) not all levels are decryptable. 2. Apart from metadata (like phone number and maybe IMEI) – nothing. You need to recover the backup password first and then you can decrypt everything… Read more »

No, you can actually read the Keychain from the physical image of the device filesystem. This of course requires physical access to the device, but the Keychain on the device is “more complete”, so to say. During backup, not everything from the device keychain is transferred to the backup keychain. For example, the backup password is in the device keychain but it’s not transferred to the backup keychain.

Without passcode and escrow keys we can decrypt almost all files (see my previous answer), but not all. No idea if iOS 5 fixes that, we haven’t seen or heard anything about it yet.

0-9 + a-z + A-Z gives 62 chars, not 64. Total number of passwords is thus 14’776’336. iPhone 4 has a recovery rate of (roughly) 6 pass codes per second, so that translates to 2’462’723 seconds or 28.5 days worst case or 2 weeks on average. So you might want to consider switching to 5-char password 🙂

Remember, though, that in iOS 4 most of the stuff can be accessed without your passcode, so it isn’t really necessary to recover it to get, say, your call logs, texts, or email passwords.

Guys, I upgraded to iOS 5 on my iPhone 4, and the phone was reset. / I have chosen to encrypt the backup in iTunes and chose not to include the key in the Keychain. Smart as I was (at that time) I have chosen a password between 15-20 characters long, consisting of upper-, lower case and numbers. / Since I had to enter it only once (for the first backup), I forgot my password. 🙁 I assume brute force won't help, due to the length of the password (though less than 15 char can be skipped). – Any way… Read more »

Well, you’re not alone. Lots of people are in the same situation, really. For passwords of that length brute force is not practical at all. Your only chance is remembering the password you’ve used (or still running a few attacks hoping that the password is not that complex). Files from an encrypted backup can’t be decrypted without the password. Sorry. Before updating to iOS 5 you could recover your backup password almost instantly, by using either our iOS Forensic Toolkit or other similar tools, to access and decrypt the contents of your phone’s Keychain – the backup password (along with pretty much every password to… Read more »

Hi. Any update on how secure iOS 5 is? Also, how vulnerable is data that is also encrypted to the AES 256 standard within an encryption app running on the device? Can you crack the device file system but not the added encryption provided by a 3rd party app? Or can you get access to the lot? And lastly, X Shredder claims to completely ‘shred’ the free space on the device, thereby utterly destroying any data that was there and putting it way beyond recovery. Would you say that is possible? You can run wipes up to 50 passes, each writing… Read more »

The iOS security model is such that encryption provided by any 3rd party app is limited to the app itself (and its data), not the system as a whole. Therefore, such encryption is pretty much useless (with a few exceptions maybe). “Cracking” such 3rd party encryption is usually easy. I’ve never heard of “X Shredder”, but there is no way to efficiently recover deleted files on iOS 4/5, even without using such tools. Overall iOS 5 security is better than that of iOS 4, mostly because it is now harder to bypass the passcode. If the device is not passcode protected then security… Read more »

Thanks for the reply Andrey. So data shredding is not needed, you think? I buy, refurb (if needed) and clean out iOS devices and resell them. I usually put them into recovery mode and run a 35 pass shred; is simply deleting the old file system enough then? TBH, a big selling point of my buy/sell business is telling customers that I completely destroy all their data prior to resale. The shredding is time consuming though, and if the same guarantees about data being impossible to recover can be given by just deleting/restoring the device it would make my… Read more »

I think that just running a restore of a device via iTunes is enough to render old data inaccessible. This is true if the device is an iPhone 3GS or newer and if it was running iOS 4 or later (i.e. it’s not safe to do this on an iPhone 3G with any iOS, or on an iPhone 3GS if it was running iOS 3).

Regarding the encryption apps, it really depends. Most apps we’ve seen do not provide any significant improvement (but we haven’t analyzed all of them obviously).

One newbie question: I have installed iOS 5.01 on my iPhone 4, but I forgot to back up a lot of images, videos and notes. Is there any chance of recovering them, or at least part of them?
Thanks in advance.

Hi, interesting blog post! I have a question about the keychain security on iOS 4.x: Keychain entries of a 3rd party app are protected according to their ‘protection class’. For example, the class ‘kSecAttrAccessibleWhenUnlocked’ means that the entry is only accessible when the device is unlocked. Does the OS automatically decrypt all keychain entries with that protection class as soon as the device gets unlocked? If yes, this would mean that on a jailbroken device, a malicious application could read ALL keychain entries, because they’re accessible when the device is unlocked and, because of the jailbreak, the sandbox does not prevent anymore… Read more »

My iPhone backup (3GS running 4.3) was accidentally encrypted by an Apple store employee and then the phone was wiped when upgrading to 5.0, leaving me with a lot of un-backed-up information in my notes and texts. I read that Elcomsoft might be able to help me with this, but the backup is in iTunes on my MacBook Pro, not a PC (which it says the software is designed to be used with). Is there a way to use the software to break the backup code (such as transferring the backup file to a PC and using it on there)?… Read more »

On Mac, iTunes stores backups in ~/Library/Application Support/MobileSync/Backup/. Navigate to this folder (Shift-Command-G in Finder), locate the required backup and copy the Manifest.plist file from the backup directory to the PC. This is the only file required to run password recovery, so you do not need to transfer the whole backup (which may be quite big).

I was hoping you would be able to shed some light as to the potential for data accessibility on an iPhone assuming the following conditions: an iPhone (model X) loaded with iOS 3.x or higher is physically disassembled; the MLB is physically damaged beyond repair (cut in half); all chips, except the Flash, are removed and/or damaged beyond repair. Assuming the Flash chip is removed from the attached MLB without damage, what current possibilities exist to still recover usable data? This may seem like a weird question to ask, but our goal is to ensure the data on the Flash chip is… Read more »

We have never evaluated such a scenario, although my understanding is that (on iOS 4 and iPhone 3GS and newer) the Flash contents are encrypted and decryption would require access to the unique per-device encryption key, which is probably embedded in the application processor.

I’d like to know if a jailbreak affects in any way the security of an iPhone. And how is the new version 5.1 in terms of security? Can you still find many things about a user even if you didn’t crack his passkey?

IF you can physically open the device without disturbing the memory contents and then remove the memory chips, assuming they are non-volatile, they can be reverse engineered in a lab replete with a FIB. Hiring FIB time is low cost, quick and a sure way to extract data. Surer than the software, and then a copy of the data can be inspected non-destructively, and even if software traps are triggered, just load another copy.

This key can be obtained/decrypted only using the physical acquisition method, e.g. using our Elcomsoft iOS Forensic Toolkit (not really hard for the iPhone 4 or older with a simple 4-digit passcode, but for the iPhone 4S/5, the device should be jailbroken).

Hello, I have a mobile unlock shop; often customers bring iPhones with iCloud locked. Some people bought phones from eBay and some got them from relatives abroad; those who receive the phone in hand are not aware of iOS and its iCloud security. Some eBay sellers sell iCloud-locked iPhones but the buyer gets no notice from the seller, so the buyer does not have any backup data or any PC synced to recover the password or Apple ID. In such a case, is there any way to read an iCloud-locked phone’s backup from the locked device directly? Does your company have any product which can get… Read more »